Straight facts about mac malware

How much malware for Mac is there?

The amount of Mac-specific malware remains negligible compared to other platforms (namely Windows). However, Mac malware is steadily on the rise, and it is no longer just about the numbers. Today, well-thought-out, targeted malware can cause damage on an unprotected Mac.

Does my Mac need an antivirus?

The truth is that no operating system is 100% secure. Even if it were, vulnerabilities in applications, such as Java and the Java Virtual Machine, can be exploited by malware. A high-performing antivirus adds layers of security, decreasing the exposure to potential threats.

Is Mac OS X malware a recent development?

The first examples of Mac OS X malware go back to 2004 with the detection of OSX/Opener (Renepo). OSX/Leap.A followed in 2006, along with other forms of threats developed against Mac OS X.

Is my Mac vulnerable to Windows malware?

Windows malware does not pose any danger to your Mac, even though a Mac can act as a carrier. This means that you can unwittingly pass along infected files from your Mac to other devices.

Does malware pose a threat for Mac OS X?

In recent years, ESET Malware Research Lab has detected and identified over ten new malware families specifically targeting the Mac OS X platform. One example is the Flashback trojan, which infected hundreds of thousands of Mac machines.

Mac Threats in time

  • 2004

    • Amphimix (MP3Concept)

    • Opener (Renepo)

  • 2005

  • 2006

    • Leap

    • Inqtana

  • 2007

    • Jahlav (RSPlug)

  • 2008

    • MacSweep

    • iMunizator

  • 2009

    • Tored

  • 2010

    • Hovdy

    • HellRTS (HellRaiser)

    • OpinionSpy

    • Boonana

  • 2011

    • BlackHole (darkComet, MusMinim)

    • MacDefender

    • Olyx

    • Flashback

    • Revir and Imuler

    • Devilrobber (Miner)

    • Tsunami (Kaiten)

  • 2012

    • Lamadai

    • Sabpab

    • Morcut (Crisis)

Amphimix (MP3Concept)

The first acknowledged OS X malware (not seen in the wild)

This is a Proof of Concept (PoC) Mac Trojan seen early in 2004 that masqueraded as an MP3, using an .MP3 icon. Its main importance is in the timing – it is generally regarded as the first acknowledged OS X malware – rather than its impact: it wasn’t seen “in the wild” and subsequent changes to the Finder effectively countered the vulnerability it exploited.

Its only payload was to display a dialogue box saying “Yep this is an application. (So what is your iTunes playing right now?)” At the same time it launched iTunes and tried to play a 4-second MP3 audio clip of “wild laughter” (apparently a man laughing).


Opener (Renepo)

Shell script with backdoor and spyware functionality

This was a (bash) shell script. The installation required either admin access or physical access to the target machine and write access to system areas and utilities.

Once installed as a Startup Item it was intended to run as root, without any need to invoke sudo (a utility mostly found in Unix-like or Unix-derived operating systems that allows a user account to run system programs at a higher privilege level).

By version 2.3.8, the version usually reported, it was installing a variety of backdoor and spyware functionality, stealing a range of configuration and application information, and including password cracking and other decryption functionality.

Author DimBulb is credited “for inspiration” by the author of the osxrk rootkit, from September 2004.

# opener 2.3.5a - a startup script to turn on services and gather user info & hashes for Mac OS X
# Originally written by DimBulb
# Additional code: hard-mac, JawnDoh!, Dr_Springfield, g@pple
# Additional ideas and advice: Zo, BSDOSX
# This script runs in bash (as is noted by the very first line of this script)
# To install this script you need admin access or
# physical access (boot from a CD or firewire/usb, ignore permissions on the internal drive) or
# write access to either /Library/StartupItems /System/Library/StartupItems or
# write access to any existing StartupItem (which you can then replace with this script) or
# write access to the rc, crontab, or periodic files (and have them run or install the script) or
# you could trick someone who has an admin account into installing it.
# It should go in /System/Library/StartupItems or /Library/StartupItems (when it is executed it
# will move itself to /System/Library/StartupItems)
# Since it is a StartupItem it will run as root - thus no "sudo" commands are needed. If you run
# it as any other user most of the commands will generate errors! (You could sudo ./opener)
# Save start time and date for performance testing
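Opener relied on the fact that anything placed in a StartupItems directory runs as root at boot, so a defender's first question is who can write there. The following audit script is an added example, not ESET's code or anything from the Opener script. It assumes the two real directories named in the comment block above, and the check for a StartupParameters.plist relies on the standard layout of a StartupItem bundle (a folder holding the executable plus that plist), which is from my knowledge of Mac OS X rather than from this page.

```shell
#!/bin/sh
# Added example: audit macOS StartupItems directories for items a local
# attacker could plant or replace. An item is reported as WORLD-WRITABLE when
# any path inside it is writable by every local user, and as NONSTANDARD when
# it lacks the StartupParameters.plist a genuine StartupItem bundle carries
# (a bare script dropped into the directory shows up this way). Directories
# that do not exist are skipped, so the script is harmless on other systems.

# audit_startup_items DIR... -> one line per item: "<STATUS> <path>"
audit_startup_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue            # skip directories that do not exist
        for item in "$dir"/*; do
            [ -e "$item" ] || continue       # empty directory: glob stayed literal
            # -perm -0002: the "other" write bit is set (portable to BSD and GNU find)
            if find "$item" -perm -0002 2>/dev/null | grep -q .; then
                echo "WORLD-WRITABLE $item"
            elif [ ! -f "$item/StartupParameters.plist" ]; then
                echo "NONSTANDARD $item"
            else
                echo "OK $item"
            fi
        done
    done
}

# count_flagged DIR... -> number of items that were not reported OK
count_flagged() {
    audit_startup_items "$@" | grep -cv '^OK ' || true
}

# Stand-alone run: the two locations Opener's own comments name.
audit_startup_items /Library/StartupItems /System/Library/StartupItems
```

Anything reported as NONSTANDARD or WORLD-WRITABLE deserves a look at its contents and at who owns it; a StartupItem that a non-root user can modify is, in effect, a root shell waiting for the next reboot.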


Leap

The first true OS X worm

It appeared at the beginning of 2006 and attracted a great deal of media attention. It used a graphic icon to pass off a Unix executable as a JPG image, claimed to be the latest Leopard Mac OS X 10.5 screenshots, and was spread through the iChat messenger client, using a file called latestpics.tgz.

The malware required user interaction in order to spread, and used Spotlight to infect all the files it found on disk.


Inqtana

Proof-of-Concept worm exploiting a Bluetooth vulnerability

This was a Proof-of-Concept worm targeting OS X systems. It was written in Java and spread through a directory traversal vulnerability in Apple’s Bluetooth system which was subsequently fixed by the vendor (2005-2006).

It modified the setting of launchd to make sure its code was executed at boot time, thus ensuring persistence (that is, it continued to load at every system reboot).

It attempted to spread by sending OBEX Push requests to other Bluetooth devices, though its spread was limited by the use of a time-limited library version, meaning that it couldn’t spread after 24th February 2006. Inqtana.D significantly developed the attack in that it didn’t require any user interaction in order to install, and once installed the backdoor access was available through Ethernet or Airport, not just Bluetooth.

Jahlav (RSPlug)

DNS Changer

The family of DNS changing malware includes binaries identified as OSX/Jahlav, OSX/DNSchanger, OSX/Puper, OSX/RSPlug (and sundry variations according to individual vendor naming conventions). Some vendors regard it as consisting of more than one family originating with the same author, but such distinctions are not maintained consistently across the vendor community.

This group is also closely related to the Zlob family, associated with similar malicious functionality on Windows platforms. This type of malware was found in great numbers in the wild. It is predominantly found as a DMG file containing an installation package named install.pkg.

It has been distributed using various schemes such as fake codecs, an approach commonly used by malware on other platforms. The ultimate purpose of this malware is to change DNS settings of an infected host, potentially enabling the attacker to alter Internet content accessed from an infected system. A script named preinstall, executed at the beginning of the installer process, performs these malicious actions. A set of shell commands is launched to write the script to disk and execute it. An interesting point relating to OSX/Jahlav is that this threat uses server side polymorphism to generate new copies of its binaries, probably in an effort to evade detection by intrusion detection systems and antivirus software. Script files are also obfuscated using various shell tools such as uuencode, sed, and tail to conceal, vary or reverse the order of the commands and hamper analysis.
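The whole point of a DNS changer is that the resolvers a machine uses are no longer the ones the administrator set, which makes the resolver list the natural thing to monitor. The script below is an added example, not ESET's code: it parses the output of `scutil --dns` (the macOS command that prints the resolvers in use; the `nameserver[0] : address` line format is from my knowledge of that tool, not from this page) and reports any address not on an allow list. The sample output and the addresses in it are constructed.

```shell
#!/bin/sh
# Added example: flag resolvers that the administrator did not configure, the
# symptom left behind by DNS-changing malware such as OSX/Jahlav.

# unexpected_resolvers ALLOWED_IP... < scutil-dns-output
#   -> prints each nameserver not on the allow list once, sorted; prints
#      nothing when every resolver is allowed
unexpected_resolvers() {
    allowed=" $* "                       # padded so " ip " matches whole addresses
    # keep only the address part of lines like "  nameserver[1] : 192.168.1.1"
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*][[:space:]]*:[[:space:]]*//p' |
    sort -u |
    while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;                # configured by the administrator
            *) echo "$ns" ;;             # injected or unknown resolver
        esac
    done
}

# Constructed sample of scutil --dns output. 192.168.1.1 is the expected
# resolver; 203.0.113.7 (a documentation address) stands in for a rogue
# server written into the configuration.
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7'

# check_sample -> the rogue resolvers found in the constructed sample
check_sample() {
    printf '%s\n' "$SAMPLE_SCUTIL_DNS" | unexpected_resolvers 192.168.1.1 8.8.8.8
}

check_sample

# On a Mac, run the same check against the live configuration
# (replace the allow list with your own resolvers).
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | unexpected_resolvers 192.168.1.1 8.8.8.8
fi
```

Run periodically, a non-empty result from this check is a strong signal on its own; paired with the page's observation that the installer's `preinstall` script does the work, the next step on a suspect machine is to expand the installer package (`pkgutil --expand` on macOS) and read that script rather than run it.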



MacSweep

First OSX scareware

Also known as Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper, this threat was first reported in January 2008 and is sometimes described as the first OSX scareware (or fake security application).

Most of the descriptive material applying to OSX/MacSweep also applies to iMunizator: in fact, some vendors flag iMunizator as OSX/MacSweep.B, and some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies, “compromising files” and so on, and anyone trying to remove them is told they need to buy the MacSweep software.


iMunizator

Rogue AV application

Also known as OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan, this was first reported in late March, 2008. iMunizator was essentially a retread of OSX/MacSweep (MacSweeper), or “another Rogue AV.”

The “call to action” in this case was again a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. Wouldn’t it be nice if you could get an application to clean the Internet?

The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the iMunizator software. Amusingly (in a black sort of way), iMunizator tries to tell you that the apps it flags may compromise the victim’s credit card.



Tored

Proof of Concept worm spreading via email

This Proof of Concept malware was discovered in 2009 and called Mac/Tored.AA. The name is a modification of the original name found in the binary file, which was OSX.Raedbot. This worm was able to spread through email using its own SMTP engine.

It could also contact a command and control server on the Internet to receive additional commands. Functionally, it therefore closely resembles certain classic Windows massmailers as well as many bots. However, we have not seen any instance of Mac/Tored.AA in the wild.


Hovdy

Information-gathering spyware

The OSX/Hovdy malware family is a set of scripts designed to gather as much information as possible from a host and send it back to a potential attacker.

In some variants, the information is sent back in an email with the subject Howdy, hence the name. Some variants were programmed as a bash script while other variants are programmed using AppleScript. We saw around a dozen different variants of the OSX/Hovdy script malware.

HellRTS (HellRaiser)

Information-stealing backdoor trojan with remote control capability

This is a backdoor trojan that can be controlled remotely. It attempts to send captured information (including files and screenshots) to a remote machine, using HTTP, FTP, and SMTP.

In order to get sensitive information it displays the following dialog box:


The trojan acquires data and commands from a remote computer or the Internet. It may also:

  • run executable files
  • execute shell commands
  • shut down/restart the computer
  • log off the current user
  • send data to the printer
  • open a specific URL address
  • change the sound volume
  • open the CD/DVD drive
  • play sound/video
  • open web page using user’s default browser
  • watch the user’s screen content



OpinionSpy

Spyware with backdoor and remote control capability

This program was first reported around the beginning of June 2010 and was associated with software calling itself PermissionResearch or PremierOpinion.

This spyware masking itself as a market research utility was offered as part of the installation process for a number of screensavers. It also acted as a backdoor and could be controlled remotely.




Boonana

Multi-platform social engineering trojan

This Java-based Trojan, which attacks Mac, Linux and Windows systems, became notorious in October 2010. It spread through social networking sites, passing itself off as a video and using the well-worn “Is this you in this video?” trick reminiscent of Windows malware.

The description suggests a trojan downloader (a Java applet) that executes an installer that in turn modifies system files so that an outside attacker doesn’t need passwords to access the system. Moreover, the trojan checks a C&C server (standard botnet stuff) periodically. There were also reports of the malware being spammed out through email.

When the potential victim runs the "video", a message is generated suggesting that the video can’t be watched without installing special software.


If the trick works, the Java applet runs happily on Windows, OS X and Linux. For Windows systems, however, a registry entry is added, while for OS X, files are copied to /Library/StartupItems and a script called OSX updates is created.

This is very much social engineering-focused malware: its initial attack is on the user, not on the platform, and it isn’t self-launching in the first instance. In other words, the malware requires user consent to be installed. While the (intended) functionality is not dissimilar, the code doesn’t resemble Koobface particularly, which is why ESET hasn’t used that name as an identifier, though some vendors have done so.



BlackHole (darkComet, MusMinim)

Multi-function backdoor trojan

This RAT (Remote Access Tool) came to light early in 2011. It was described as a beta version by its author:

“Welcome to BlackHole RAT. Now this is the Beta Version, and there are funktions. Have Fun;)“


The user interface also includes some German words such as Ablage and Bearbeiten, though the messages are in (more or less) English.

“…I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can’t be infected, but look, you ARE Infected!”


According to comments in the code, there was intended to be a more stable version in due course.

So, Im a very new Virus, under Development, so there will be much more functions when im finished.

However, the darkComet RAT project was declared terminated in June 2012.

BlackHole’s abilities included the following:

  • Execute shell commands remotely.
  • Direct the user’s browser to its own choice of web page.
  • Create a text file on the desktop.
  • Perform shutdown, restart and sleep operations: in fact, it may put up a window from which the user can only escape by letting it reboot the machine as a demonstration of its capabilities.
  • Pop up a fake Finder message asking the victim to enter the administrator password.

The name notwithstanding, there is no obvious connection between this Blackhole and the Black Hole exploit kit.



MacDefender

The first major Mac malware

This fake AV has also been reported as calling itself MacProtector, MacDetector, MacSecurity, Apple Security Center, MacGuard, and MacShield. Appearing in May 2011, it is probably the most widespread rogue anti-virus on the Mac to date.

The infection was spread via poisoned search engine results on image searches. When a bad link was followed in a search, the user was presented with an alert that trojans or other threats had been detected on the system.


At the start of the attack, either a simple dialog box over the browser window or a fake Finder window is displayed. The malware was updated over time to present a user interface more like a native OS X application and less like a Windows application. Subsequent variants were also deployed that were capable of installing through a fake Finder window requiring the user to enter administrator credentials. If the victim clicked on the "Cancel" or "Remove All" buttons instead of closing the browser normally (or if necessary, with Force Quit), it was able to install the software anyway. It also took advantage of Safari’s default setting ‘Open “safe” files after downloading’ to download and open the malware automatically.


Once the malware was installed and launched, the victim was told that the software was an Unregistered Copy, and given the option of registering and paying for it.




Olyx

A malware-downloading backdoor

A backdoor that allows the infected machine to be controlled remotely, receiving data and instructions for its operation from the Internet or via a remote Command & Control server in a botnet.

It may use known Java exploits to gain access to the victim’s system. The trojan contains an IP address to which it tries to connect over port 80 using TCP.


It may execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • various file system operations
  • execute shell commands
  • send the list of files on specific drive to a remote computer



Flashback

The largest Mac botnet to date

OSX/Flashback.A is a trojan that tries to download other malware from the Internet, and at the same time the Flashback botnet is the largest Mac botnet to date. The Flashback attack uses social engineering to entice the user to download and install the malware.

The malware presents a standard and professional looking installer screen to create a backdoor via a dynamic library called Preferences.dylib. Once installed, it uses RC4 encryption to communicate with a remote server, and transmits data such as the user's MAC address, OS version, UUID, and more. The malware could also potentially be used to allow the malware author to inject code into the target Mac.

A later variant of OSX/Flashback included exploit code for CVE-2012-0507, a Java exploit also used by the Blackhole exploit kit. This meant that the trojan was able to infect computers without user interaction. Oracle and, later on, Apple released a Java update that addressed the problem.

The malware collects information about the infected computer, its operating system, and system settings, and tries to send the information on to a remote machine. It receives data and instructions from a Command & Control server via HTTP. It quits immediately if Little Snitch is detected on the system and removes itself from the computer.

ESET recommends disabling Java in Safari and OS X if it is not needed most of the time.

The trojan displays the following picture:


In September 2012, ESET released a comprehensive technical analysis of the Flashback threat.


Revir and Imuler

Dropper/ downloader backdoor with spyware capability

These two examples of malware are usually referred to as distinct threats, even though Revir is the dropper and downloader and Imuler.A is the backdoor that carries the sting.

The malicious application poses as a PDF file, and in fact displays a PDF embedded in its own body. This payload displays some politically contentious Chinese text while the app extracts a downloader that fetches and installs a backdoor Trojan (Imuler). The backdoor is intended to communicate with a C&C (Command and Control) server.

The most striking similarity between this and the techniques used by Windows malware is in the use of a phased infection process using several components. The PDF is not booby-trapped with some kind of 0-day threat, as is so often the case with targeted malware, but is simply a component of the malware, which must be executed before the PDF can be displayed. The Imuler Trojan acquires data and commands from a remote computer whose URL is held within its own body, or from the Internet, using HTTP.

The malware can execute the following operations:

  • capture screenshots
  • send files to a remote computer
  • send various information about the infected computer
  • download files from a remote computer and/or the Internet
  • run executable files
  • extract ZIP archive


Devilrobber (Miner)

Bitcoin-generating spyware using Torrents to spread

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Like a number of Mac trojans, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

Devilrobber performs the following malicious activities:

  • Opens ports and listens for C&C servers
  • Steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • Acts as spyware, forwarding usernames and passwords to a remote server
  • Noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
  • It may also be looking for files that contain child abuse material


Tsunami (Kaiten)

IRC controlled backdoor

This is an IRC controlled backdoor that enables the infected machine to become a bot for Distributed Denial of Service attacks. It contains a hardcoded list of IRC servers and channels that it attempts to connect to.

The malware is a version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run on OS X. Of low risk, but apparently a work in progress: a second version shows some “improvements.”

Dating from 2002, the Linux backdoor Trojan, once it had managed to install itself, listened for instructions transmitted over IRC. Its command set is focused on various DDoS (Distributed Denial of Service) attacks, but its capability to execute shell commands has the potential for many other types of attack. The list of accepted commands is taken from the comment block in the Linux C source code.


In addition to enabling DDoS attacks, the backdoor can also enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the capability to essentially take control of the affected machine.



Lamadai

A Backdoor targeting Tibetan NGOs

This was a malware attack targeting Tibetan NGOs (Non-Governmental Organizations). The attack consisted of luring the victim into visiting a malicious website, which would then drop a malicious payload on the target’s computer using the Java vulnerability CVE-2011-3544 and execute it.

The webserver would serve a platform-specific JAR (Java Archive) dropper based on the browser’s UserAgent String to infect the user’s Windows or OS X system.

OSX/Lamadai.A has built-in features typical of a backdoor: namely the download and execution of an arbitrary file, uploading of local files to the operator’s Command and Control (C&C) server, and spawning of a command-line shell. It is the Mac OS X payload of a multi-platform attack exploiting the Java vulnerability (CVE-2011-3544) to infect its victims.

The OS X-specific dropper was also served to Linux clients. However, since the dropped payload is designed for OS X only, Linux clients will not be infected. OS X uses the Mach-O file format for its executable files. For OSX/Lamadai.A, the Mach-O executable was compiled for 64-bit only, which is unusual since Mach-O binaries normally contain both the 32-bit and 64-bit versions of the executable.
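A 64-bit-only Mach-O can be recognised from its first eight bytes, which is also how one tells a fat (universal) binary from a thin one. The classifier below is an added example, not ESET's code. The magic values are the ones published in Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>` headers; the sample files the test builds are constructed. One caveat worth encoding, since this attack used a JAR dropper: Java class files also begin with `ca fe ba be`, so the bytes after the magic must be read as an architecture count and sanity-checked, which is the same heuristic `file(1)` applies.

```shell
#!/bin/sh
# Added example: classify a file by its Mach-O header.
#   ca fe ba be                FAT_MAGIC, universal binary; the next 4 bytes
#                              (big endian) give the number of architectures
#   fe ed fa ce / ce fa ed fe  MH_MAGIC, thin 32-bit (big / little endian)
#   fe ed fa cf / cf fa ed fe  MH_MAGIC_64, thin 64-bit (big / little endian)
# A 64-bit-only payload such as OSX/Lamadai.A shows up as "thin-64", where a
# typical OS X binary of the period would be "fat(2)".

# bytes_hex FILE OFFSET COUNT -> hex digits of COUNT bytes at OFFSET, no spaces
bytes_hex() {
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# macho_kind FILE -> "fat(N)", "thin-64", "thin-32" or "not-macho"
macho_kind() {
    case "$(bytes_hex "$1" 0 4)" in
        cafebabe)
            n=$((0x$(bytes_hex "$1" 4 4)))
            # A real fat header holds a handful of architectures. A Java class
            # file shares the magic but carries a version number here (50 for
            # Java 6, for instance), so a large count is treated as not Mach-O.
            if [ "$n" -gt 0 ] && [ "$n" -le 20 ]; then
                echo "fat($n)"
            else
                echo "not-macho"
            fi ;;
        feedfacf|cffaedfe) echo "thin-64" ;;
        feedface|cefaedfe) echo "thin-32" ;;
        *) echo "not-macho" ;;
    esac
}

# Stand-alone run: classify each file given on the command line.
for f in "$@"; do
    echo "$(macho_kind "$f") $f"
done
```

A thin 64-bit result is not malicious in itself, but on a 2012-era system where almost everything shipped as a universal binary it is exactly the kind of oddity that justifies pulling a sample for closer analysis.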



Sabpab

Backdoor Trojan with remote control capability

The trojan serves as a backdoor. It can be controlled remotely and acquires data and commands from a remote computer or the Internet, using HTTP to contact a URL in its own body. This malware, like the highly prevalent Flashback variant, exploits the CVE-2012-0507 vulnerability.

It can execute the following operations:

  • send the list of files on specific drive to a remote computer
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • capture screenshots

It seems to have originated on 16th March 2012 or even a little earlier. Reports indicate a link between SabPab (or SabPub – vendor detection names vary) and APT attacks labelled Luckycat. There may even be a link with attacks on Tibetan activists. Later attacks have used Word documents exploiting the CVE-2009-0563 buffer overflow vulnerability in Microsoft Office. Because this later variant does not use the Java exploit CVE-2012-0507, Apple’s Java updates provide no protection against this elderly Office vulnerability.


Morcut (Crisis)

Multi-platform spyware trojan

Morcut is an OS X Trojan specific to Snow Leopard and Lion (some reports suggest that it can run on Leopard, but tends to crash): it can install without any action on the part of the user, is persistent (survives reboot), and has rootkit capabilities that are activated if the infected system is running under root.

However, it hasn’t been found in the wild to date: the initial samples were found on VirusTotal. The malicious JAR file includes a Java class file misleadingly called WebEnhancer that checks whether the Java Virtual Machine in which it finds itself is running under Windows or OS X. If the JVM is running under Windows, it installs a version of Swizzor; if it’s OS X, it installs OSX/Crisis.

Crisis isn’t actually the first or only attempt at hardware-independent malware, but the significance of the fact that the attempt is being made should not be underestimated, even though there are more technically interesting aspects to the whole malware package: in particular, the range of activity and data the malware is meant to monitor put it right in the spyware category. The sensitive data it can compromise includes IM transactions, location, keystrokes and mouse movement, contents of the clipboard, running processes, and an assortment of other device and environment information that is tracked.
